New Forensics Tool Goes Back in Time for a Hi-Res Look at Cyberattacks

When things happen suddenly, a closer look can come in handy. Watching a football game, for instance, sometimes you don’t really “see” a play until you’ve seen the replay–and in high-resolution, super slow-motion, no less. Was the toe in bounds? Did the ball bobble? Have the myriad conditions of the confounding catch rule been met?

A team at the Georgia Institute of Technology, backed by the Defense Department’s research arm, is developing a tool that will give cybersecurity investigators that kind of look at an intrusion, quickly providing layers of detail not available today, in what the researchers describe as the first automated forensics system. Called Refinable Attack Investigation, or RAIN, the system helps investigators determine how an attack occurred and the path it took–even if the intruders tried to cover their tracks–and what level of response is required.

“You can go back and find out what has gone wrong in your system, not just at the point where you realized that something is wrong, but far enough back to figure out how the attacker got into the system and what has been done,” Wenke Lee, a co-author of the paper and the co-director of Georgia Tech’s Institute for Information Security & Privacy, said in a statement.

That kind of information is essential to mitigating the impact of an attack, whether it arrives via phishing, exploitation of an unpatched vulnerability or insider manipulation. US-CERT’s guidelines for Federal cyber incident response, for example, identify “greater quality of information” as the first step in enabling response teams to classify an attack’s severity and determine a response.

Existing forensic techniques can reconstruct an attack, but they are constrained by two things: the analyst time required and the storage needed for detailed logs. RAIN automates what has to date been a mostly manual, time-consuming process, continuously recording activity on the monitored system. Along the way it captures what is needed to reconstruct events that may matter later, rather than saving every action at full detail, which lightens the storage load. System logs have long been the starting point for reviewing an attack, but storage cost has capped how much detail they record.

RAIN’s selective approach “effectively prunes out unrelated processes and determines attack causality with negligible false positive rates,” the authors wrote in the paper, which they presented in October at the Association for Computing Machinery’s Conference on Computer and Communications Security.

“We organize information in a hierarchical way, and for each level apply a different type of automated analysis,” said Taesoo Kim, one of the paper’s co-authors. “At the deepest layer, we can tell what happened at the byte level.” Because the most detailed analysis runs offline, and only on the activity the coarser levels flag as relevant, RAIN can afford a level of detail that would be cost-prohibitive for a conventional system that had to apply it to everything, the research team said.
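To make the coarse level of that hierarchy concrete, here is an added illustration (written for this article; it is not RAIN’s code and does not reproduce its internals): a provenance graph is built from audit-style records, then traced backward from the point where trouble was noticed to recover the causal chain back to its entry point, prune processes that played no part, and list the processes that would merit the deeper, replay-based analysis. The record layout and the sample events are constructed for the example and are assumptions, not any real audit format.

```python
"""Backward causality over a coarse provenance graph (illustrative, not RAIN)."""
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    ts: int    # logical timestamp of the record
    src: str   # node information flows FROM (net:, file:, proc:)
    dst: str   # node information flows TO
    op: str    # operation that created the edge


# Constructed sample audit records (assumed format, not a real log):
# a browser pulls a payload from the network, writes it to disk, the payload
# is executed, reads /etc/passwd and installs a cron job. An editor and a
# backup job run in parallel and are unrelated. Finally a "cleanup" process
# overwrites the dropped file AFTER it ran, an anti-forensic step that must
# not be mistaken for the source of the executed binary.
AUDIT_LOG = [
    Event(1, "net:203.0.113.5:443", "proc:1001:browser", "recv"),
    Event(2, "proc:1001:browser", "file:/tmp/update.exe", "write"),
    Event(2, "proc:1002:editor", "file:/home/ann/notes.txt", "write"),
    Event(3, "file:/tmp/update.exe", "proc:1003:update.exe", "exec"),
    Event(4, "file:/etc/passwd", "proc:1003:update.exe", "read"),
    Event(5, "proc:1003:update.exe", "file:/etc/cron.d/persist", "write"),
    Event(6, "file:/home/ann/notes.txt", "proc:1004:backup", "read"),
    Event(7, "proc:1005:cleanup", "file:/tmp/update.exe", "write"),
]


def build_reverse_index(events):
    """Map each node to the events that flowed information into it."""
    incoming = defaultdict(list)
    for e in events:
        incoming[e.dst].append(e)
    return incoming


def backward_slice(events, sink, at_ts):
    """Events causally upstream of `sink` as it existed at time `at_ts`.

    Each step only follows edges that happened no later than the point at
    which the downstream node consumed them, so a later overwrite of a file
    (the anti-forensic write at ts=7) is never blamed for an earlier exec.
    """
    incoming = build_reverse_index(events)
    worklist = deque([(sink, at_ts)])
    found = set()
    while worklist:
        node, deadline = worklist.popleft()
        for e in incoming[node]:
            if e.ts > deadline or e in found:
                continue
            found.add(e)
            worklist.append((e.src, e.ts))
    return found


def attack_path(events, sink, at_ts):
    """The causal chain ending at `sink`, in time order."""
    return sorted(backward_slice(events, sink, at_ts), key=lambda e: e.ts)


def _procs(events):
    return {n for e in events for n in (e.src, e.dst) if n.startswith("proc:")}


def unrelated_processes(events, sink, at_ts):
    """Processes the coarse analysis prunes: they never touched the chain."""
    return sorted(_procs(events) - _procs(backward_slice(events, sink, at_ts)))


def refinement_candidates(events, sink, at_ts):
    """Processes on the chain: the ones worth a fine-grained replay."""
    return sorted(_procs(backward_slice(events, sink, at_ts)))


def entry_points(events, sink, at_ts):
    """External sources from which the chain started."""
    return sorted({e.src for e in backward_slice(events, sink, at_ts)
                   if e.src.startswith("net:")})


if __name__ == "__main__":
    # Detection point: the new cron job, noticed as of timestamp 5.
    sink, when = "file:/etc/cron.d/persist", 5
    for e in attack_path(AUDIT_LOG, sink, when):
        print(f"t={e.ts} {e.src} --{e.op}--> {e.dst}")
    print("entry points:", entry_points(AUDIT_LOG, sink, when))
    print("pruned:", unrelated_processes(AUDIT_LOG, sink, when))
    print("replay these:", refinement_candidates(AUDIT_LOG, sink, when))
```

Starting from the cron job, the trace walks back through the executed binary and the browser to the remote address, while the editor, backup and cleanup processes fall out of the picture; only the two processes on the chain would need the byte-level, replay-based analysis. The temporal check is what keeps the later overwrite of /tmp/update.exe from being counted as the origin of the binary that ran.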

RAIN, funded under a four-year program by the Defense Advanced Research Projects Agency along with the Office of Naval Research and the National Science Foundation, is in its third year of development, and the research team plans further improvements before making the system available to industry and, of course, government. It is expected to operate as an independent system that records alongside an organization’s other security tools and produces a replay and analysis of intrusions, Lee said.